Leaky Access Tokens Exposed Amazon Photos of Users
According to new research, hackers who obtained access to Amazon users’ authentication tokens could have stolen or encrypted personal photos and documents. Security researchers report that the Amazon Photos app for Android does not protect user access tokens properly. With an exposed token, attackers and malicious actors could access personal data belonging to the token holder through a number of different Amazon apps, such as Amazon Drive. An exposed token also gives attackers the ability to conduct a ransomware attack, with effects such as permanently deleting photos and documents.
The findings were reported to Amazon’s Vulnerability Research Program in the fall of last year. In December, Amazon announced that the issues had been fully resolved. However, loose tokens still exist. Software suite vendors such as Amazon use access tokens to offer convenience to their users, but this may also present an opportunity for attackers.